Networking
What are some reasons an HTTP server might return different results when a direct IP is used instead of the domain, other than the Host header?
In some cases there is an HTTP(s) server with some assets I'm trying to proxy, and I need to do so using the IP address instead of the domain. After some troubleshooting, I realized that if I make an HTTP request to https://202.100.200.152/sushi/ I get a response, but I only get the response I want when using the domain https://sp.water.contoso.com/sushi/.
I'm sure there is a proxy in front of the HTTP(s) server that routes connections all over the place. I don't have access to this server, so I'm treating it as a black box. I thought maybe it checks the domain via the Host header, but when I override it, it still doesn't work.
I would like to know what other factors besides the HOST header cause me not to get the response I want.
I simulated the BAD response with CURL:
```
curl -k -v -I -H 'Host: sp.water.contoso.com' https://202.100.200.152/sushi/
*   Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to 202.100.200.152 (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.water.contoso.com
*  start date: Feb 11 18:53:34 2020 GMT
*  expire date: Feb 10 18:53:35 2022 GMT
*  issuer: CN=ingress-operator@3582449223
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
HTTP/1.0 503 Service Unavailable
< Pragma: no-cache
Pragma: no-cache
< Cache-Control: private, max-age=0, no-cache, no-store
Cache-Control: private, max-age=0, no-cache, no-store
< Connection: close
Connection: close
< Content-Type: text/html
Content-Type: text/html
<
* Excess found in a non pipelined read: excess = 3131 url = /sushi/ (zero-length body)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
```
And then the GOOD response with CURL:
```
curl -v -I -k https://sp.water.contoso.com/sushi/
*   Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to sp.water.contoso.com (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
*  start date: Oct 29 04:33:35 2019 GMT
*  expire date: Jan 30 04:33:35 2022 GMT
*  issuer: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: openresty
Server: openresty
< Date: Wed, 17 Jun 2020 17:46:01 GMT
Date: Wed, 17 Jun 2020 17:46:01 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Content-Length: 266
Content-Length: 266
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: public, max-age=0
Cache-Control: public, max-age=0
< Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
< ETag: W/"10a-17276edcaf8"
ETag: W/"10a-17276edcaf8"
< X-Frame-Options: DENY
X-Frame-Options: DENY
<
* Connection #0 to host sp.water.contoso.com left intact
* Closing connection 0
```
As can be seen from the CURL output, both use the same IP, and the `>` section shows that they send the same headers. What are some possible reasons the server returns the unwanted page?
The reason here is that when you make a request to an IP address, the TLS Server Name Indication field contains the IP address of the host rather than the domain.
The server you are connecting to has different virtual hosts defined for the IP address and for the different domain names. The virtual host defined for the IP address does not serve what you are looking for.
To send the correct TLS Server Name Indication field with curl, you need to use the `--resolve` parameter:
```
curl --resolve sp.water.contoso.com:443:209.100.200.152 https://sp.water.contoso.com/sushi/
```
This tells the server that the TLS connection should be established with the `sp.water.contoso.com` virtual host rather than the IP address. Adding the HTTP `Host` header only takes effect at the HTTP protocol level.
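As an added example (not code from the question or the answer above), the following Python builds a minimal TLS ClientHello with and without the SNI extension, parses the server_name back out the way a TLS-terminating proxy sees it, and models vhost selection, which happens during the handshake before any HTTP `Host` header exists. The ClientHello bytes and the vhost table are constructed here; the hostname is the one from the question.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed sample). The SNI extension is only
    added for a DNS name: RFC 6066 forbids IP literals in server_name, which is why
    curl sends no SNI at all when the URL host is a bare IP address."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random (zeroed for the sample)
    body += b"\x00"                             # empty session_id
    body += b"\x00\x02\xc0\x2f"                 # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                         # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name (0)
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type server_name
        body += struct.pack("!H", len(ext)) + ext               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the host_name from the SNI extension, if any."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    if p >= len(record):
        return None                                      # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # first entry is host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

def select_vhost(client_hello: bytes, host_header: str, vhosts: dict, default: str) -> str:
    """Model of a TLS-terminating proxy: the virtual host (certificate and backend) is
    chosen from SNI during the handshake. host_header is deliberately not consulted,
    because it only arrives after the TLS session has already been bound to a vhost."""
    return vhosts.get(extract_sni(client_hello), default)
```

With the question's hostname, the Host-header-only request lands on the default vhost (the 503 in the question), while the request carrying SNI reaches the intended backend.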